Generate security test cases from the threat model. Creates test scenarios for each threat and control verification tests. Use when creating security tests, generating penetration test cases, building security regression tests, or validating threat mitigations.
Repository: josemlopez/threat-modeling-toolkit (https://github.com/josemlopez/threat-modeling-toolkit)
skills/tm-tests/SKILL.md
January 22, 2026
Install with:

```
npx add-skill https://github.com/josemlopez/threat-modeling-toolkit/blob/main/skills/tm-tests/SKILL.md -a claude-code --skill tm-tests
```

Installation path: `.claude/skills/tm-tests/`

# Security Test Generation
## Purpose
Generate security test cases from your threat model to:
- Create attack scenario tests for each threat
- Generate control verification tests
- Build security regression test suites
- Map test coverage to threats and controls
## Usage
```
/tm-tests [--format markdown|jest|pytest|playwright] [--category <name>] [--control <id>] [--output <path>]
```
**Arguments**:
- `--format`: Test output format (default: markdown)
- `--category`: Filter by threat category
- `--control`: Generate tests for specific control
- `--output`: Output directory
## Test Categories
### Attack Tests (Negative Tests)
Tests that attempt to exploit vulnerabilities:
- Verify threat is blocked/detected
- Simulate attack scenarios
- Test security boundaries
### Control Tests (Positive Tests)
Tests that verify security controls work:
- Verify control is active
- Test expected behavior
- Validate configuration
### Regression Tests
Tests that prevent security regressions:
- Run on every commit/PR
- Verify fixes remain in place
- Detect control degradation
## Test Output Formats
### Markdown Documentation
```markdown
# Security Test Cases
## Authentication Tests
### TEST-001: Credential Stuffing Prevention
**Threat**: THREAT-001 - Credential Stuffing Attack
**Control**: CONTROL-001 - Rate Limiting
#### Test Scenario
1. Attempt 6 failed logins from same IP within 1 minute
2. Expected: 6th request should be blocked (429 Too Many Requests)
#### Steps
1. POST /api/auth/login with invalid credentials
2. Repeat 5 more times
3. Verify 6th request returns 429
#### Expected Results
- First 5 requests: 401 Unauthorized
- 6th request: 429 Too Many Requests
- Response includes a `Retry-After` header
#### Pass Criteria
- Rate limit enforced at configured threshold
- Appropriate error response returned
- Event logged for security monitoring
```
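The TEST-001 case above is written as documentation; the following is an added example (not code from the threat-modeling-toolkit) that turns the same scenario into an executable control verification check in plain TypeScript, with no test framework required. The `FixedWindowLimiter` and `LoginService` classes are constructed stand-ins for the system under test, the IP `203.0.113.7` and user `alice` are constructed sample values, and timestamps are supplied by the test so the one-minute window is deterministic. It also checks one failure mode the markdown case does not mention: that the limiter resets once the window has elapsed.

```typescript
// Added example: TEST-001 (credential stuffing / rate limiting) as a
// framework-free executable check. The limiter and login service below are
// constructed stand-ins for the system under test, not toolkit code.

interface Response {
  status: number;
  headers: Record<string, string>;
}

interface LoginRequest {
  ip: string;
  username: string;
  password: string;
  at: number; // request time in ms, supplied by the test for determinism
}

// Fixed-window limiter: at most `limit` attempts per `windowMs` per key (IP).
class FixedWindowLimiter {
  private windows = new Map<string, { start: number; count: number }>();
  constructor(private limit: number, private windowMs: number) {}

  // Returns 0 when the request is allowed, otherwise seconds until reset.
  check(key: string, now: number): number {
    const w = this.windows.get(key);
    if (!w || now - w.start >= this.windowMs) {
      this.windows.set(key, { start: now, count: 1 });
      return 0;
    }
    w.count += 1;
    if (w.count > this.limit) {
      return Math.ceil((w.start + this.windowMs - now) / 1000);
    }
    return 0;
  }
}

// Constructed login endpoint that records security events for monitoring.
class LoginService {
  readonly events: string[] = [];
  constructor(private limiter: FixedWindowLimiter) {}

  login(req: LoginRequest): Response {
    const retryAfter = this.limiter.check(req.ip, req.at);
    if (retryAfter > 0) {
      this.events.push(`rate_limit_exceeded ip=${req.ip} user=${req.username}`);
      return { status: 429, headers: { 'Retry-After': String(retryAfter) } };
    }
    // Constructed: no valid accounts exist, so every attempt fails.
    this.events.push(`login_failed ip=${req.ip} user=${req.username}`);
    return { status: 401, headers: {} };
  }
}

// TEST-001 as a procedure returning per-criterion results, so the scenario
// can be run from any harness (or none) and mapped back to the threat.
function runTest001(): {
  statuses: number[];
  retryAfterPresent: boolean;
  rateLimitLogged: boolean;
  pass: boolean;
} {
  const service = new LoginService(new FixedWindowLimiter(5, 60000));
  const statuses: number[] = [];
  let last: Response = { status: 0, headers: {} };
  // Six failed logins from the same IP within one minute (10 s apart).
  for (let i = 0; i < 6; i++) {
    last = service.login({ ip: '203.0.113.7', username: 'alice', password: 'wrong', at: i * 10000 });
    statuses.push(last.status);
  }
  const retryAfterPresent = 'Retry-After' in last.headers;
  const rateLimitLogged = service.events.some((e) => e.startsWith('rate_limit_exceeded'));
  const pass =
    statuses.slice(0, 5).every((s) => s === 401) &&
    statuses[5] === 429 &&
    retryAfterPresent &&
    rateLimitLogged;
  return { statuses, retryAfterPresent, rateLimitLogged, pass };
}

// Regression guard not covered by the markdown case: after the window elapses
// a request must be allowed again, catching a limiter that never resets.
function windowResets(): boolean {
  const limiter = new FixedWindowLimiter(5, 60000);
  for (let i = 0; i < 6; i++) limiter.check('203.0.113.7', 0);
  return limiter.check('203.0.113.7', 60000) === 0;
}

console.log(runTest001(), 'window resets:', windowResets());
```

Each pass criterion from the markdown case (threshold enforced, correct error response, event logged) is a separate field in the result, which makes it straightforward to report coverage per control rather than as a single pass/fail.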
### Jest/TypeScript
```typescript
// security-tests/auth-security.test.ts
describe('Authentication Security', () => {
d